Processor that detects when system management mode attempts to reach program code outside of protected space

ABSTRACT

A method is described that includes detecting that a memory access of system management mode program code is attempting to reach program code outside of a protected region of memory by comparing a target memory address of a memory access instruction of the system management program code again information that defines confines of the protection region. The method also includes raising an error signal in response to the detecting.

CROSS-REFERENCE TO RELATED APPLICATION

This patent application is a U.S. National Phase Application under 35U.S.C. §371 of International Application No. PCT/US2011/068281, filedDec. 31, 2011, entitled PROCESSOR THAT DETECTS WHEN SYSTEM MANAGEMENTMODE ATTEMPTS TO REACH PROGRAM CODE OUTSIDE OF PROTECTED SPACE.

FIELD OF INVENTION

The field of invention pertains to the computing sciences generally,and, more specifically, to a processor that detects when systemmanagement mode attempts to reach program code outside of protectedspace.

BACKGROUND

System management mode (SMM) is an operating mode of a computing systemin which normal execution (including operation of the operating system(OS)) is suspended, and special separate software (usually firmware or ahardware-assisted debugger, hereinafter referred to as “SMM code”) isexecuted in a high-privilege mode. Here, the SMM code is special codethat, ideally, fully comprehends the complete hardware details of theparticular computing system that it runs on.

Examples of possible SMM functions include: i) centralized systemconfiguration (such as the dedicated configuration of a specificcomputer); ii) handling of system events like memory or chipset errors;iii) security functions, such as flash device lock down or theforwarding of calls to a Trusted Platform Module (TPM); iv) systemsafety management functions, such as computer shutdown upon detection ofa high CPU temperature, turning fans on/off, etc.; and, v) powermanagement functions such as deep sleep power management and managementof voltage regulator modules.

Note that the awareness and reach of the SMM is far reaching for aparticular system. That is, typically, the SMM is permitted to haveunrestricted access into any aspect of the computer that it runs on. Asignificant security risk, therefore, is that the SMM might be“highjacked” or otherwise compromised by some form of malware orunwanted code. If the security of the SMM were to be breached, themalware could potentially disrupt or infect normal system operation ofany/all components within the system.

Typically, the SMM code is kept in a “highly privileged” region ofmemory. Part of the definition of the highly privileged and secureaspect of the SMM code is that no other code is permitted to access itwithin its special region of memory, nor is the SMM supposed to executecode that is stored outside the highly privileged region of memory.Thus, if malware is to attack the SMM, in all likelihood it will be aconsequence of the SMM running code or at least making a call to codethat is outside of the highly privileged region of memory. Upon thisevent, malware stored outside the protected region of memory can beincorporated into the operation of the SMM thereby compromising itssecurity.

Unfortunately it is becoming more and more difficult to keep the SMMcode within the confines of the protected region of memory. Thedifficult stems not only from the increasing sophistication of the SMMcode (as a function of increasingly complex hardware platforms andassociated features), but also, the reliance on, within the SMM, of OEMcode provided by OEM manufacturers of the different components that thesystem is composed of.

FIG. 1 shows a typical transition from normal operating mode into SMMmode. Upon the detection of an event 101 that is supposed to trigger theSMM code (such as a configuration event, a power management, etc.), aprocessor will save its state 102. After the processor state is saved,SMM begins execution out the protected region of memory 103.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention is illustrated by way of example and notlimitation in the figures of the accompanying drawings, in which likereferences indicate similar elements and in which:

FIG. 1 shows a prior art SMM start up sequence;

FIG. 2 shows a system that can detect when SMM attempts to reach programcode that is outside of protected space;

FIG. 3 shows an SMM start sequence that enables a function that detectswhen SMM attempts to reach program code that is outside of protectedspace;

FIG. 4 shows an embodiment of a computing system.

DESCRIPTION

A solution to the problem of not being able to sufficiently control whenor how SMM code might attempt to reach code outside the protected regionof memory, is to build into the hardware of the processor a mechanismfor detecting and reporting an attempt by the SMM code to reach programcode that is outside the protection memory space.

FIG. 2 shows an embodiment of a generic processor pipeline 200. Theprocessor includes an instruction fetch stage 201, a data fetch stage202, an execution stage 203 and a write back stage 204. As is known inthe art, the execution stage 203 includes various functional units thatexecute the different instructions supported by the pipeline 200 and,thereby, the processor. One or more of these execution units istypically a memory access unit 205, or simply, memory unit, whosepurpose is to fetch data or instructions from memory.

In a typical case, an instruction is presented to the memory unit 205having an operand that specifies an address in memory 210 where an itemof data or an instruction is located (or a “page” of memory 210 wherethe item of data or instruction is located). The memory unit 205typically includes a hardware table walk or page-walk unit 206 thatcoordinates the read of the information from memory 210 (e.g., byissuing or overseeing a read transaction 211 directed to system memory210 for the desired information).

In one embodiment of the improved approach described herein, controlregister space 207 keeps information 208 that defines the confines ofthe highly protected region of memory 209 within system memory 210. Inan embodiment, information 208 is contained within two registers incontrol register space 207 (SMRR_Range and SMRR_Mask) that specify theconfines in protected space 209.

Information 208 is made available to the hardware table walk unit 206 sothat the hardware table walk unit 206 can comprehend the confines of theprotected space 209. In keeping with the theory that malware mightcorrupt the SMM code 214 if the SMM code 214 attempts to reach code thatis outside the protected memory space 209, according to one embodimentof the approach described herein, when the SMM code 214 is running, thehardware table walk unit 206 includes or is otherwise associated withlogic circuitry that compares the address operand of a memory addressinstruction that seeks to fetch program code against the address rangeor other definition of the confines of the protected space 209 containedin information 208 and received from the control register space 207.

If the address targeted by the instruction is determined to be outsidethe confines of the protected space 209, the hardware table walk unit206 generates a signal 212 (in one embodiment, an unrecoverable machinesignal check (MCHECK)) to the hardware that eventually triggersappropriate handler program code 216 (e.g., an MCHECK handler) withinthe SMM 214. In one embodiment, the signal 212 is implemented as aspecial Access_Violation_Detected bit that is set in control registerspace 207 upon detection of the offending code address.

As part of the error reporting process performed by logic circuitry inthe hardware in response to the detection of an out of range address,code violation information 213 (e.g., that identifies the address thatwas attempted to be reached outside the protected space, the nature ofthe instruction that attempted the offending memory access, stateinformation of the pipeline including the state of the program counter,etc.) is dumped into a storage resource 215 (e.g., register space, partof memory 210, disk) and an address 216 where the code violationinformation 213 is stored in storage resource 215 is written intomachine check register banks 217. The handler 216 looks to the machinecheck register banks 217, fetches the address 216 and retrieves the codeviolation information 213. Here, the handler 216 may store theinformation or aspects thereof to some other storage resource includingas a possibility remote storage (e.g., storage connected to thecomputing system through a network), report the incident to a user, etc.

According to one embodiment, the initial error signal 212 is onlygenerated when program code is attempted to be accessed by an offendingSMM memory access instruction (and not data). This permits SMM 214 toreach any item of data with out triggering an alarm.

Also, according to another or combined embodiment, the signal 212 willnot be generated if an offending memory access instruction stems from apredicted branch. Here, as is known in the art, some processor pipelineshave the intelligence to “guess” along which path a program's executionflow will be directed. As part of the guess, the memory execution unitsmay “pre-fetch” program code instructions that are presumed to be alongthe path that the program code will flow along. If the processor guessesincorrectly, the fetched program code is flushed. If the processorguesses correctly, the program code is executed.

In order to prevent a false alarm in the case where the processorpre-fetches offending instruction(s) outside the protected space 209 asa consequence of prediction but the processor guesses wrong such thatthe offending code is ultimately flushed, the hardware does not generatea signal 212 merely when offending code is pre-fetched as a consequenceof prediction. Rather, in an embodiment, the hardware will generate thesignal 212 in response to both: i) having flagged that the offendingcode was pre-fetched as a consequence of prediction; and, ii) the“guess” made by the hardware is ultimately deemed correct resulting inthe offending code being in the path of execution. Upon both of theseconditions being reached the signal 212 will be raised and errorhandling proceeds as described above.

In another embodiment, the logic that detects an offending address andgenerates the error signal 212 is enabled by the setting of a bit inhardware upon the SMM being newly entered. For example, referring toFIG. 3, upon a condition being detected 301 that triggers entry of theSMM, after the processor state is saved 302 (e.g., such that theprocessor is no longer currently executing any threads), the firmwareBIOS enables the memory access trap function 303 and the SMM proceeds tocommence operation 304. Depending on implementation the SMM may beconsidered to be part of the firmware BIOS. By making the enable bitonly settable by the BIOS firmware, malware is not permitted to resetthe bit so as to disable the function. In a further embodiment, when theSMM terminates and the processor state is restored, as part the SMMtermination/processor bring-back, the enablement bit is cleared suchthat the function is disabled.

A processing core having the functionality described above can beimplemented into various computing systems as well. FIG. 4 shows anembodiment of a computing system (e.g., a computer). The exemplarycomputing system of FIG. 4 includes: 1) one or more processing cores 401that may be designed to trap for SMM code that attempts to reach programcode outside of protected space; 2) a memory control hub (MCH) 402; 3) asystem memory 403 (of which different types exist such as DDR RAM, EDORAM, etc,); 4) a cache 404; 5) an I/O control hub (ICH) 405; 6) agraphics processor 406; 7) a display/screen 407 (of which differenttypes exist such as Cathode Ray Tube (CRT), flat panel, Thin FilmTransistor (TFT), Liquid Crystal Display (LCD), DPL, etc.) one or moreI/O devices 408.

The one or more processing cores 401 execute instructions in order toperform whatever software routines the computing system implements. Theinstructions frequently involve some sort of operation performed upondata. Both data and instructions are stored in system memory 403 andcache 404. Cache 404 is typically designed to have shorter latency timesthan system memory 403. For example, cache 404 might be integrated ontothe same silicon chip(s) as the processor(s) and/or constructed withfaster SRAM cells whilst system memory 403 might be constructed withslower DRAM cells. By tending to store more frequently used instructionsand data in the cache 404 as opposed to the system memory 403, theoverall performance efficiency of the computing system improves.

System memory 403 is deliberately made available to other componentswithin the computing system. For example, the data received from variousinterfaces to the computing system (e.g., keyboard and mouse, printerport, LAN port, modem port, etc.) or retrieved from an internal storageelement of the computing system (e.g., hard disk drive) are oftentemporarily queued into system memory 403 prior to their being operatedupon by the one or more processor(s) 401 in the implementation of asoftware program. Similarly, data that a software program determinesshould be sent from the computing system to an outside entity throughone of the computing system interfaces, or stored into an internalstorage element, is often temporarily queued in system memory 403 priorto its being transmitted or stored.

The ICH 405 is responsible for ensuring that such data is properlypassed between the system memory 403 and its appropriate correspondingcomputing system interface (and internal storage device if the computingsystem is so designed). The MCH 402 is responsible for managing thevarious contending requests for system memory 403 access amongst theprocessor(s) 401, interfaces and internal storage elements that mayproximately arise in time with respect to one another.

One or more I/O devices 408 are also implemented in a typical computingsystem. I/O devices generally are responsible for transferring data toand/or from the computing system (e.g., a networking adapter); or, forlarge scale non-volatile storage within the computing system (e.g., harddisk drive). ICH 405 has bi-directional point-to-point links betweenitself and the observed I/O devices 408.

Processes taught by the discussion above may be performed with programcode such as machine-executable instructions that cause a machine thatexecutes these instructions to perform certain functions. In thiscontext, a “machine” may be a machine that converts intermediate form(or “abstract”) instructions into processor specific instructions (e.g.,an abstract execution environment such as a “virtual machine” (e.g., aJava Virtual Machine), an interpreter, a Common Language Runtime, ahigh-level language virtual machine, etc.)), and/or, electroniccircuitry disposed on a semiconductor chip (e.g., “logic circuitry”implemented with transistors) designed to execute instructions such as ageneral-purpose processor and/or a special-purpose processor. Processestaught by the discussion above may also be performed by (in thealternative to a machine or in combination with a machine) electroniccircuitry designed to perform the processes (or a portion thereof)without the execution of program code.

It is believed that processes taught by the discussion above may also bedescribed in source level program code in various object-orientated ornon-object-orientated computer programming languages (e.g., Java, C#,VB, Python, C, C++, J#, APL, Cobol, Fortran, Pascal, Perl, etc.)supported by various software development frameworks (e.g., MicrosoftCorporation's .NET, Mono, Java, Oracle Corporation's Fusion, etc.). Thesource level program code may be converted into an intermediate form ofprogram code (such as Java byte code, Microsoft Intermediate Language,etc.) that is understandable to an abstract execution environment (e.g.,a Java Virtual Machine, a Common Language Runtime, a high-level languagevirtual machine, an interpreter, etc.) or may be compiled directly intoobject code.

According to various approaches the abstract execution environment mayconvert the intermediate form program code into processor specific codeby, 1) compiling the intermediate form program code (e.g., at run-time(e.g., a JIT compiler)), 2) interpreting the intermediate form programcode, or 3) a combination of compiling the intermediate form programcode at run-time and interpreting the intermediate form program code.Abstract execution environments may run on various operating systems(such as UNIX, LINUX, Microsoft operating systems including the Windowsfamily, Apple Computers operating systems including MacOS X,Sun/Solaris, OS/2, Novell, etc.).

An article of manufacture may be used to store program code. An articleof manufacture that stores program code may be embodied as, but is notlimited to, one or more memories (e.g., one or more flash memories,random access memories (static, dynamic or other)), optical disks,CD-ROMs, DVD ROMs, EPROMs, EEPROMs, magnetic or optical cards or othertype of machine-readable media suitable for storing electronicinstructions. Program code may also be downloaded from a remote computer(e.g., a server) to a requesting computer (e.g., a client) by way ofdata signals embodied in a propagation medium (e.g., via a communicationlink (e.g., a network connection)).

In the foregoing specification, the invention has been described withreference to specific exemplary embodiments thereof. It will, however,be evident that various modifications and changes may be made theretowithout departing from the broader spirit and scope of the invention asset forth in the appended claims. The specification and drawings are,accordingly, to be regarded in an illustrative rather than a restrictivesense.

What is claimed is:
 1. A method, comprising: detecting that a memoryaccess of system management mode program code is attempting to reachprogram code outside of a protected region of memory by comparing atarget memory address of a memory access instruction of said systemmanagement program code against information that defines confines ofsaid protection region; and raising an error signal in response to saiddetecting; and not raising an error signal even though a second memoryaccess instruction for program code targets memory space outside of saidprotected region because said second memory access instruction is beingfetched as a consequence of speculation.
 2. The method of claim 1wherein said information is stored in control register space.
 3. Themethod of claim 2 wherein said error signal includes setting a value insaid control register space.
 4. The method of claim 1 further comprisingraising an error signal because said speculation is deemed to have beencorrect.
 5. The method of claim 1 further comprising storing secondinformation pertaining to said memory access instruction and storing anaddress where said second information is stored.
 6. The method of claim5 wherein said address is stored in control register space.
 7. Asemiconductor chip, comprising: an instruction execution pipeline havinglogic circuitry to: detect that a memory access of system managementmode program code is attempting to reach program code outside of aprotected region of memory by comparing a target memory address of amemory access instruction of said system management program code againstinformation that defines confines of said protection region and raise anerror signal in response to the detection, and not raise an error signaleven though a second memory access instruction for program code targetsmemory space outside of said protected region because said second memoryaccess instruction is being fetched as a consequence of speculation. 8.The semiconductor chip of claim 7 wherein said logic circuitry iscoupled to control register space that stores said information.
 9. Thesemiconductor chip of claim 8 wherein said information defines a rangeof said protected region.
 10. The semiconductor chip of claim 9 whereinsaid logic circuitry is part of hardware table walk logic circuitrywithin said memory unit.
 11. The semiconductor chip of claim 7 whereinsaid logic circuitry is within a memory unit of said pipeline.
 12. Thesemiconductor chip of claim 7 wherein said logic writes an error signalto control register space in response to detection that said memoryaccess is attempting to reach said program code.
 13. A computing system,comprising: a processor having logic circuitry to detect that a memoryaccess of system management mode program code is attempting to reachprogram code outside of a protected region of memory by comparing atarget memory address of a memory access instruction of said systemmanagement program code against information that defines confines ofsaid protection region and raise an error signal in response to thedetection, and not raise an error signal even though a second memoryaccess instruction for program code targets memory space outside of saidprotected region because said second memory access instruction is beingfetched as a consequence of speculation; and handler program code withinsaid protected region of memory, said handler program code to readinformation descriptive of an error condition flagged by said logiccircuitry.
 14. The computing system of claim 13, wherein said logiccircuitry is coupled to control register space that stores saidinformation.
 15. The computing system of claim 14, wherein saidinformation defines a range of said protected region.
 16. The computingsystem of claim 13, wherein said logic circuitry is within a memory unitof said pipeline.
 17. The computing system of claim 13, wherein saidlogic circuitry is part of hardware table walk logic circuitry withinsaid memory unit.
 18. The computing system of claim 13, wherein saidlogic writes an error signal to control register space in response todetection that said memory access is attempting to reach said programcode.